Can system with this method of patching be secure enough like system with rebuilded kernel and binares from stable source?

Welcome!

The -stable branch may contain fixes which were not deemed important enough to warrant the creation of a patch for -release. In terms of an equation:

-stable >= -release + installing all published patches.

To say whether these additional fixes to the -stable branch have any security implications, I suspect they don't, but this is an opinion. If these fixes had security implications of worth, the developers would make them available as publicly available patches to -release too.

Quote:

Can i now use stable ports tree, or i must to rebuild kernel and binares from stable source before that?

Technically, there are no library differences between -release & -stable. Section 15.4.1 of the FAQ also states:

Because no intrusive changes are made in -stable, it is possible to use a -stable ports tree on a -release system, and vice versa. There is no need to update all your installed packages after applying a few errata patches to your system.

Quote:

If i get stable source with cvs and rebuild kernel and binares, how to know or to check when he created a new stable?

Watch the errata page for published patches. Also, track the -stable CVS branch & look for check-in's to this branch. The cvs(1) manpage will give you information on what CVS commands will be needed. Information on how to download the -stable branch can be found in Section 5.3.3 of the FAQ.